Abstract



We consider a probabilistic quantum implementation of a variation of
the Pocklington-Lehmer $N - 1$ primality test using Shor's algorithm.
$O(\log^3 N \log\log N \log\log\log N)$ elementary q-bit operations are required to
determine the primality of a number $N$, making it (asymptotically) the fastest
known primality test. Thus, the potential power of quantum mechanical
computers is once again revealed.

PACS numbers: 03.65.Bz, 89.80.+h, 02.10.Lh

AMS 1991 subject classification: (Primary) 11Y05, 11Y11, 68Q10, 81V99 

(Secondary) 11A51, 11Y16, 68Q20 

Keywords: Computational Complexity, Pocklington-Lehmer $N - 1$ Primality Test,
Quantum Computation, Quantum Factorization, Shor's Algorithm






*Present address: Department of Physics, University of Hong Kong, Pokfulam Road, Hong Kong. 
E-mail: hfchau@hkusua.hku.hk 

†Present address: BRIMS, Hewlett-Packard Labs, Filton Road, Stoke Gifford, Bristol, BS12 6QZ,
U.K. E-mail: hkl@hplb.hpl.hp.com






Finding large primes and factorizing large composite numbers are two classic mathematical
problems of great practical interest. For instance, in RSA public key cryptography,
the key, which is made public, is the product of two large primes whose values are kept
secret. The secret values of the two primes are needed to decode the encoded messages
(ciphertexts). The security of this scheme lies in the difficulty of factoring large composites.
More concretely, while multiplying two integers can be done in a time polynomial in the
number of digits of the two integers (and hence "efficient"), the fastest factorization
algorithm that runs on classical computers (or Turing machines) takes almost an exponential
amount of time ($\sim \exp(L^{1/3})$ where $L$ is the number of digits of the number to be
factorized). Consequently, given the value of the public key, it is almost hopeless for an
eavesdropper to attempt to break the RSA cryptographic scheme by factoring the key into
two large primes. For this reason, finding an efficient factorization method is the dream of
eavesdroppers. On the other hand, for additional security of the RSA scheme, the public
key has to be changed frequently to avoid "accidental" factorization of the key. To fulfill
this need, an efficient algorithm for proving the primality of a large integer is required.

The possibility of performing classical computation by using quantum mechanical
machines has been investigated by various people. Recently, Shor discovered an efficient
quantum factorization algorithm [7]: By using the massive parallelism and interference
effect in quantum mechanics, which have no classical counterparts, Shor found an efficient
method to compute the period of a function. This method immediately leads to efficient
algorithms for both the discrete logarithm and factorization problems. Therefore, if a
quantum mechanical computer is ever built, the RSA crypto-system will no longer be
secure. Some people have even proposed that quantum cryptography will ultimately be the
only way to ensure the security of a cryptosystem.

Primality tests$^1$ are generally much easier than factorization. The APRCL test (based
on Jacobi sum) is one of the most commonly used algorithms. The number of elementary
bit operations needed for testing the primality of a number $N$ is
$O((\log N)^{c \log\log\log N})$ for some constant $c > 0$ [13]. Although the run time of
this algorithm is not truly polynomial in $\log N$, it works reasonably fast for numbers of
less than 1,000 decimal digits [14]. The first polynomial time probabilistic primality test
was proposed by Goldwasser and Kilian [15] using ideas from elliptic curves. Their algorithm
was later implemented by Atkin and Morain [14], [16]. Its run time scales as $O(\log^6 N)$.
However, their algorithm assumes some unproven (although very plausible) conjectures in
analytic number theory and may fail to work for an infinite sequence of (non-random) prime
numbers even though it will never mis-identify a composite number as a prime. Finally,
using ideas from Abelian varieties, Adleman and Huang discovered a polynomial time
probabilistic primality test without any unproven hypothesis. However, their algorithm is
extremely complicated and is totally impractical to implement.

Further improvements may be possible. In fact, if we assume the validity of the (yet still
unproven) Extended Riemann Hypothesis, then there is a deterministic primality test whose
run time scales as $O((\log N)^4 \log\log\log N)$. More recently, there is statistical evidence
supporting the conjecture that the primality of a number $N$ can be proven deterministically
in $O((\log N)^3 \log\log N \log\log\log N)$ time [19].

$^1$ A primality test is an algorithm which outputs "true" if and only if the input is a prime. It may
not halt if the input is composite. This is to be distinguished from a compositeness test that may
occasionally indicate a number as prime even when it is in fact composite.



In this paper, we propose a straightforward probabilistic primality test based on the
Pocklington-Lehmer $N - 1$ method using the quantum factorization algorithm. Its run time
scales as $O((\log N)^3 \log\log N \log\log\log N)$ and is thus asymptotically faster than all
known classical primality tests. In the discussion below, we will always assume that the
number $N$ has failed all common compositeness tests and hence is very likely to be a prime
(see, for example, Refs. [1], [14], [20] for some simple and efficient compositeness tests).



Note that the number of primitive residue classes (mod $N$) is $N - 1$ and the multiplicative
group formed by the primitive residue classes has a generator of order $N - 1$ if and only if
$N$ is a prime [20]. This leads us to the following theorem:



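Theorem 1: (Pocklington-Lehmer $N - 1$ test) Suppose $N - 1 = \prod_{j=1}^{m} p_j^{\beta_j}$
with all $p_j$'s distinct primes. If there exists $a \in \mathbb{Z}_N$ such that

$$
\begin{aligned}
a^{(N-1)/p_j} &\not\equiv 1 \pmod{N} \quad \text{for } j = 1, 2, \ldots, m, \\
a^{N-1} &\equiv 1 \pmod{N},
\end{aligned}
\tag{1}
$$

then $N$ is a prime [14], [20].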



Thus, the test consists of two parts, namely, the complete factorization of the number
$N - 1$, and the verification of the conditions in Eq. (1). Since the test requires the
complete factorization of a number, it was not a good general purpose primality test
before the discovery of Shor's quantum factorization algorithm. (As mentioned earlier, no
efficient classical factorization method is known. The fastest known classical method for
factorization is the number field sieve. Under reasonable heuristic assumptions, it takes
$O(\exp(c (\log M)^{1/3} (\log\log M)^{2/3}))$ elementary operations for some constant
$c > 0$ [21] to find a factor of a number $M$.)

The situation is completely different after Shor's discovery. As shown in Appendix A,
Shor's algorithm requires $O((\log M)^2 (\log\log M)^2 \log\log\log M)$ elementary q-bit
operations$^2$ to find a factor of a composite number $M$, provided that $M$ is not of the
form $p^n$ or $2p^n$ for some odd prime number $p$. In the case that $M$ is of the form $p^n$
for an odd prime $p$, there exists a classical algorithm to find $p$ and $n$ in
$O((\log M)^2 (\log\log M)^2 \log\log\log M)$ time [14]. Alternatively, we show in Appendix B
that this can be done equally efficiently by using a quantum algorithm similar to Shor's
algorithm. Since factorization of a prime power is much easier than that of a composite
number with distinct prime factors, we shall only consider the latter in our computational
complexity analysis.



$^2$ A quantum mechanical bit is now commonly called a "q-bit". Loosely speaking, coherent
superposition of states allows a q-bit to hold more information than a classical bit. In addition,
"elementary" here refers to operations in the form of a unitary operator acting on one or two q-bits.
Please refer to Refs. [22-23] for constructions of "elementary" logical operators.
Let us consider the first part of the test — the complete factorization of the number
$N - 1$. Suppose we would like to factorize $M = N - 1$ completely. Using Shor's algorithm,
we can find a non-trivial factor $f$ of $M$ in $O((\log M)^2 (\log\log M)^2 \log\log\log M)$
elementary operations. The problem then reduces to the factorization of the numbers $f$ and
$M/f$. We can further speed up the process by extracting multiple factors of $M$, if any, by
computing $\gcd(f, M/f)$. Clearly, this takes negligible time as compared to Shor's
algorithm. The complete factorization of $M$ is obtained by recursively applying Shor's
algorithm $m - 1$ times, where $m$ is the number of distinct primes of $M$. Since the product
of the first $m$ primes is of order of $2^m$ [20], complete factorization of $M$ requires
running Shor's algorithm at most $O(\log M)$ times. Thus, no more than
$O((\log M)^3 (\log\log M)^2 \log\log\log M)$ elementary operations are needed for running
Shor's algorithm alone. In addition, we also need to verify that a complete factorization of
$M = N - 1$ has been obtained. That is, the $p_j$'s we have found in Theorem 1 are indeed
prime numbers. Let us denote the number of elementary operations needed for the first and
second parts of the primality test for a number $M$ by $P_1(M)$ and $P_2(M)$ respectively.
Also, let $P(M) = P_1(M) + P_2(M)$. From the above discussion,

$$
P_1(N) \leq \sum_{i=1}^{m} P(p_i) + O((\log N)^3 (\log\log N)^2 \log\log\log N) .
\tag{2}
$$

Let us come to the second part of the test — the application of the Pocklington-Lehmer
$N - 1$ test. We choose an integer $m$ randomly and test if all the conditions in Eq. (1)
are satisfied. Now there are at most $O(\log N)$ such conditions. Using the power
algorithm [25], verification of each condition in Eq. (1) requires $O(\log N)$
multiplications. Using the Schönhage and Strassen method, multiplying two numbers of size at
most $N$ can be done in $O(\log N \log\log N \log\log\log N)$ elementary operations.
Therefore, altogether $O((\log N)^3 \log\log N \log\log\log N)$ elementary operations are
needed for each random number $m$ chosen. It can be shown that the probability that a
randomly chosen integer $m$ satisfies all the conditions in Eq. (1) is at least
$O(1/\log\log N)$ [27]. Consequently, the total number of elementary operations needed for
the second part of the test is given by

$$
P_2(N) \leq O((\log N)^3 (\log\log N)^2 \log\log\log N) .
\tag{3}
$$

Notice that if $\prod_{i=1}^{m} p_i^{\beta_i}$ is the prime number decomposition of a positive
integer $N$ (where the $p_i$ are distinct primes), then

$$
\sum_{i=1}^{m} \log p_i \leq \log N ,
\tag{4a}
$$

$$
\sum_{i=1}^{m} \log\log p_i \leq \log\log N ,
\tag{4b}
$$

and hence

$$
\sum_{i=1}^{m} (\log p_i)^3 \leq \left( \sum_{i=1}^{m} \log p_i \right)^3 \leq (\log N)^3 .
\tag{4c}
$$

Therefore,

$$
\sum_{i=1}^{m} (\log p_i)^3 (\log\log p_i)^2 (\log\log\log p_i)
\leq (\log N)^3 (\log\log N)^2 (\log\log\log N) .
\tag{5}
$$

By induction, it is straightforward to prove from Eqs. (2)-(5) that

$$
P(N) = P_1(N) + P_2(N) \leq O((\log N)^3 (\log\log N)^2 \log\log\log N) .
\tag{6}
$$

Note that if $N$ is in fact a composite number, this primality test will never terminate.
The Pocklington-Lehmer test gives a certificate for primality once the number $N$ passes it.
On the other hand, Shor's algorithm is efficient for finding non-trivial factors of a number.
Thus, Shor's algorithm and our quantum primality test are complementary to each other.

Although Eq. (6) already tells us that the above quantum primality test algorithm is
better than all the classical algorithms known to date, we now go on to describe a
fine tuning of our quantum algorithm which reduces the run time by a factor of $\log\log N$.
As shown in the operation counting analysis above, both the quantum factorization and the
verification of Eq. (1) are equally fast. Thus, in order to reduce the run time of the quantum
Pocklington-Lehmer algorithm, we have to speed up both parts.

To speed up the quantum factorization, we can perform trial divisions to eliminate
all the prime factors of $N - 1$ that are smaller than $k$. This can be done by $\sim k$
divisions, taking $O(k \log N \log\log N \log\log\log N)$ time [26]. After the trial division,
we can concentrate on the prime factors of $N - 1$ that are greater than $k$. Clearly, at
most $O(\log N / \log k)$ distinct prime factors of $N - 1$ are greater than $k$. So by
combining the trial division with Shor's algorithm, $N - 1$ can be factorized completely in
$O(\log N \log\log N \log\log\log N \, (k + (\log N)^2 \log\log N / \log k))$ time. The optimal
solution is obtained when we take the number of trial divisions
$k \sim (\log N)^2 / \log\log N$. Therefore, factorization of $N - 1$ requires only
$O((\log N)^3 \log\log N \log\log\log N)$ elementary q-bit operations.
(In case we have a prime number table up to the number $k$, the prime number theorem
tells us that only $O(k / \log k)$ trial divisions are required. Using the same argument, we
know that the optimal solution occurs when $k \sim \log^2 N$. However, the optimal number of
elementary q-bit operations is still $O((\log N)^3 \log\log N \log\log\log N)$. That is, only
a constant factor speed up is gained when we use a prime number table.)

To speed up the verification of primality, we employ a variation of the
Pocklington-Lehmer test by Brillhart et al. [20], [28]:

Theorem 2: (Brillhart et al.) Suppose $N - 1 = \prod_{j=1}^{m} p_j^{\beta_j}$ with all $p_j$'s
distinct primes. And if, for each $j = 1, 2, \ldots, m$, there exists $a_j \in \mathbb{Z}_N$
such that

$$
\begin{aligned}
a_j^{(N-1)/p_j} &\not\equiv 1 \pmod{N} \\
a_j^{N-1} &\equiv 1 \pmod{N}
\end{aligned}
\tag{7}
$$

then $N$ is a prime.
Once again, we randomly choose an integer $m$ and test if it satisfies Eq. (7). For each $p_j$,
the probability that a randomly chosen $m$ satisfies the constraint
$m^{(N-1)/p_j} \not\equiv 1 \pmod{N}$ in Eq. (7) is at least 1/2. Thus, for each $m$, half of
the constraints in Eq. (7) are satisfied on average. Thus, we are almost sure to have found
all the required $a_j$ by randomly picking $m$'s and checking Eq. (7) a few times. Obviously,
our new verification process takes $O((\log N)^3 \log\log N \log\log\log N)$ time. Combining
the quantum factorization with trial division, and Theorem 2, we have a
$O((\log N)^3 \log\log N \log\log\log N)$ run time quantum primality test as promised.
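
The verification step of Theorem 2, as an added example that is not code from the paper: it searches for the witnesses $a_j$ by random choice and then re-checks the resulting certificate against Eq. (7). Assumptions: trial division (`factor_distinct`) stands in for the Shor-based factorization of $N - 1$, `max_tries` bounds a search that the test as described would never finish on a composite, and all function names are hypothetical.

```python
import random

def factor_distinct(m):
    """Distinct prime factors of m by trial division.
    Assumption: classical stand-in for the Shor-based factorization of N - 1."""
    primes, d = [], 2
    while d * d <= m:
        if m % d == 0:
            primes.append(d)
            while m % d == 0:
                m //= d
        d += 1 if d == 2 else 2
    if m > 1:
        primes.append(m)
    return primes

def find_certificate(n, max_tries=64, seed=0):
    """Search for the witnesses a_j of Theorem 2 for an odd n >= 3.
    Returns {p_j: a_j} when n is proven prime, None otherwise."""
    if n < 3 or n % 2 == 0:
        return None
    rng = random.Random(seed)
    pending = set(factor_distinct(n - 1))
    cert = {}
    for _ in range(max_tries):
        if not pending:
            break
        a = rng.randrange(2, n)
        if pow(a, n - 1, n) != 1:
            return None            # a^(N-1) != 1 (mod N): n is composite
        for p in sorted(pending):
            if pow(a, (n - 1) // p, n) != 1:
                cert[p] = a        # a serves as a_j for this p_j
                pending.discard(p)
    return cert if not pending else None

def verify_certificate(n, cert):
    """Re-check Eq. (7) for each (p_j, a_j) and that the p_j exhaust n - 1."""
    rest = n - 1
    for p, a in cert.items():
        if factor_distinct(p) != [p] or rest % p:
            return False           # p is not a prime factor of n - 1
        while rest % p == 0:
            rest //= p
        if pow(a, n - 1, n) != 1 or pow(a, (n - 1) // p, n) == 1:
            return False
    return rest == 1               # no prime factor of n - 1 was left out
```

A composite such as the Carmichael number 561 passes $a^{N-1} \equiv 1$ for every base coprime to it, yet never yields a witness for $p_j = 7$, so the search gives up without a certificate.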

In summary, we have presented a probabilistic quantum primality test using a variation
of the Pocklington-Lehmer $N - 1$ test and Shor's quantum factorization algorithm. Its run
time scales as $O((\log N)^3 \log\log N \log\log\log N)$. (Moreover, it requires
$O(\log^2 N)$ bits of extra working space.) As far as we know, this is the (asymptotically)
fastest primality test to date. Our quantum primality test can be further sped up by a
constant factor if we replace Theorem 2 by another variation of the Pocklington-Lehmer
algorithm which involves only a partial factorization of $N - 1$ (see Ref. [20], for example).



It is interesting to know if there exists an even faster primality test. In particular, if the
conjecture by Bach and Huelsbergen is correct, then there is a deterministic primality test
whose run time is as good as ours (i.e. $O((\log N)^3 \log\log N \log\log\log N)$) [19].
APPENDIX A: SHOR'S ALGORITHM

We outline the idea of Shor's algorithm below (See Refs. for details). To factorize a 
composite number M (which is assumed not to be a prime power), we prepare our system 
in the state 

$$
|\Psi\rangle = \frac{1}{\sqrt{2^L}} \sum_{a=1}^{2^L} |a\rangle
\tag{A1}
$$

with $2^L \approx M^2$. This can be achieved by, say, setting $L$ quantum spin-1/2 particles
with their spins pointing towards the positive $x$-direction (and all our measurements are
performed in the $z$-direction).

Then we evolve our wavefunction to

$$
|\Psi\rangle = \frac{1}{\sqrt{2^L}} \sum_{a=1}^{2^L} |a, m^a \bmod M\rangle ,
\tag{A2}
$$

for some randomly chosen integer $1 < m < M$ with $\gcd(m, M) = 1$. (If $\gcd(m, M) > 1$, then
we are so lucky that we have found a non-trivial factor of $M$ by chance. The probability for
this to happen scales exponentially with $\log M$, and is therefore negligible.) The above
evolution can be done using the power algorithm [25], which takes $O(L)$ multiplications in
$\mathbb{Z}_M$. As mentioned in the text, multiplying two $L$-bit numbers using the Schönhage
and Strassen method, which is asymptotically the fastest known algorithm, requires
$O(L \log L \log\log L)$ elementary bit operations. Consequently, evolving the wavefunction
from state (A1) to state (A2) takes $O(L^2 \log L \log\log L)$ elementary q-bit operations.
Besides, it requires $O(L)$ extra q-bits as working space during the computation.

Now we make a measurement on the second set of q-bits in our system (which should
take at most $O(L)$ time). Thus, the wavefunction of our system for the first set of q-bits
collapses to

$$
|\varphi\rangle = \frac{1}{\sqrt{k+1}} \sum_{a=0}^{k} |a_0 + pa\rangle ,
\tag{A3}
$$

where $p$ is the order of the number $m$ under multiplication modulo $M$, $0 \leq a_0 < k$ is
some constant, and $k = [(2^L - a_0)/p]$.

To extract the order $p$, we perform a discrete Fourier transform, which evolves our system
to

$$
\frac{1}{\sqrt{2^L (k+1)}} \sum_{c=0}^{2^L - 1} \sum_{a=0}^{k}
\exp\left[ \frac{2\pi i (a_0 + pa) c}{2^L} \right] |c\rangle .
\tag{A4}
$$

This can be done in $O(L^2)$ elementary q-bit operations. Now the amplitude of our
wavefunction is sharply peaked at $|p\rangle$. It can be shown that by making a measurement on
the first set of q-bits, we have a probability of at least $O(1/\log L)$ of getting the correct
order $p$. So, by repeatedly running our machine $O(\log L)$ times, we are almost sure to get
the order $p$ of the multiplicative group modulo $M$ generated by the integer $m$. Therefore,
it requires $O((\log M)^2 (\log\log M)^2 \log\log\log M)$ elementary q-bit operations to find
the order $p$ of the group $\langle m \rangle$.

Now we hope that $p$ is an even number and that $\gcd((m^{p/2} - 1) \bmod M, M)$ is a
non-trivial factor of $M$. It can be shown that for a randomly chosen $m$, the probability
that the above algorithm does give a non-trivial factor of $M$ is at least 1/2 provided that
$M$ is not of the form $p^k$ or $2p^k$ for some odd prime $p$ [8].

The remaining case is to recognize and factorize an odd number $M$ in the form of a
prime power. This can be done by classical probabilistic algorithms whose run time scales
like $O((\log M)^2 (\log\log M)^2 \log\log\log M)$ [14], which is negligible in comparison with
Shor's algorithm. (See Appendix B for an equally efficient quantum prime power factorization
algorithm.) Thus, we have an efficient way to factorize a composite number $M$.

Combining Shor's algorithm with the classical factorization of prime powers, we are
almost sure to find a non-trivial factor of $M$ after
$O((\log M)^2 (\log\log M)^2 \log\log\log M)$ elementary q-bit operations. Moreover, the power
algorithm is one of the major bottlenecks in this method.



APPENDIX B: QUANTUM PRIME POWER FACTORIZATION ALGORITHM 

Here we discuss a variant of Shor's algorithm that is useful for factoring a number $M$ that
is of the form $p^n$ for some odd prime $p$. Following Shor, we can find the order of a number
$m$ which is relatively prime to $M = p^n$ in $O((\log M)^2 (\log\log M)^2 \log\log\log M)$
time. We denote the set of all integers in $\mathbb{Z}_M$ which are relatively prime to $M$ by
$U(\mathbb{Z}_M)$. It can be shown that $U(\mathbb{Z}_M)$ is a cyclic group of order
$p^{n-1}(p - 1)$ under multiplication modulo $M$ [29]. The group generated by $m$ under
multiplication modulo $M$, $\langle m \rangle$, is a sub-group of $U(\mathbb{Z}_M)$. The
probability that the order of $\langle m \rangle$ is divisible by $p^{n-1}$ equals the
probability that a randomly chosen element of $\mathbb{Z}_{p^{n-1}(p-1)}$ is relatively prime
to $p^{n-1}$, which is in turn equal to $1 - 1/p \geq 2/3$. So, the greatest common divisor of
the order of $m$ and $M$ has at least 2/3 chance of being $p^{n-1}$. Thus, we have a
probability of at least 2/3 of finding $p$ by calculating $M/\gcd(M, r)$ where $r$ is the order
of $m$. Once $p$ is found, $M$ can be factorized easily. The total time required scales as
$O((\log M)^2 (\log\log M)^2 \log\log\log M)$.
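
The classical steps that follow order finding in Appendix A and Appendix B, as an added example that is not code from the paper: the gcd step for a general composite and the $M/\gcd(M, r)$ step for a prime power. Assumptions: the brute-force `order` replaces the quantum period-finding step, $M \geq 4$, and all function names are hypothetical.

```python
import random
from math import gcd

def order(m, M):
    """Order of m in the multiplicative group modulo M (requires gcd(m, M) = 1).
    Assumption: brute force stands in for the quantum period-finding step."""
    r, x = 1, m % M
    while x != 1:
        x, r = x * m % M, r + 1
    return r

def factor_from_order(m, M):
    """Appendix A: gcd(m^(r/2) - 1, M) for even order r; None if this base fails."""
    g = gcd(m, M)
    if g > 1:
        return g                     # m already shares a factor with M
    r = order(m, M)
    if r % 2:
        return None                  # odd order: this base is of no use
    f = gcd(pow(m, r // 2, M) - 1, M)
    return f if f > 1 else None      # f == 1 when m^(r/2) = -1 (mod M)

def prime_power_candidate(m, M):
    """Appendix B: M / gcd(M, r). For M = p^n this is p when p^(n-1) divides r,
    and a higher power of p (or M itself) otherwise."""
    return M // gcd(M, order(m, M))

def find_factor(M, tries=32, seed=0):
    """Non-trivial divisor of M from random bases, or None if every base fails."""
    rng = random.Random(seed)
    for _ in range(tries):
        m = rng.randrange(2, M - 1)
        f = factor_from_order(m, M)
        if f is None:                # fall back to the prime power step
            c = prime_power_candidate(m, M)
            f = c if 1 < c < M else None
        if f:
            return f
    return None
```

For $M = 27$ the base $m = 2$ has order 18 and gives $p = 3$ directly, while $m = 10$ has order 3 and only gives the divisor 9, which is the failure case the 2/3 bound accounts for.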